On 30.05.2012 20:36, ccandotti wrote:
>
> The kind of unlocking is:
>
> I have a user with the pass syncronized in ED and AD, i put 3 times a
> bad passwords and the account gets locked. What I want is that when I
> make a modification in my description, IDM reset the login trys.
>
> I hope this explanation is clear enough.
>
> I changed my policy for:
>

...
> <do-set-dest-attr-value name="dirxml-uACAccountDisable">
> <arg-value type="string">
> <token-text xml:space="preserve">false</token-text>
> </arg-value>
> </do-set-dest-attr-value>

...
> Is this policy correct?
>


I'm pretty sure the driver expects true/false here - it might be smart
enough to interpret 0/1 as false/true though - never really tried that.

<rule>
<description>Reset Lockout</description>
<conditions>
<and>
<if-op-attr name="Description" op="changing"/>
</and>
</conditions>
<actions>
<do-set-dest-attr-value name="dirxml-uACAccountDisable">
<arg-value type="string">
<token-text xml:space="preserve">false</token-text>
</arg-value>
</do-set-dest-attr-value>
</actions>
</rule>

However, I am pretty sure what you actually need is:

<do-clear-dest-attr-value name="dirxml-uACLockout"/>

Note that you can only clear this pseudo-attribute, it's not possible to
set it to a specific value.